When the public talks about the Internet, in most cases they are actually talking about the Web. The reality of the Web today never ceases to amaze me, and the tremendous potential for what we can do on the Web is awe-inspiring. But, at the same time, one of the greatest fears for many who want to embrace the Web — the one thing that is often responsible for holding back the rate of change — is the security of Web technology. With the constant barrage of high-profile news stories about hackers exposing credit card databases here and finding cunning ways into secret systems there, it’s hardly surprising that in a recent survey almost all users who chose not to use Internet banking cited security as the reason. Putting your business online is no longer optional today, but is an essential part of every business strategy. For this reason alone, it is crucial that users have the confidence to embrace the new era.
As with any new technology, there is a delay from the time it is introduced to the market to the time it is really understood by the industry. The breakneck speed at which Web technologies were adopted has widened that window. The security industry as a whole has not kept pace with these changes and has not developed the necessary skills and thought processes to tackle the problem. To fully understand Web security, you must be a developer, a security person, and a process manager. While many security professionals can examine and evaluate the security of a Windows configuration, far fewer have access to the workings of an Internet bank or an online book store, or can fully understand the level of security that an online business requires.
Until a few years ago, the platform choices for building secure Web applications were somewhat limited. Secure Web application development was the exclusive playground of the highly experienced and highly skilled developer (and they were more than happy to let you know that). The .NET Framework and ASP.NET in particular are an exciting and extremely important evolution in the Web technology world and are of particular interest to the security community. With this flexible and extensible security model and a wealth of security features, almost anything is possible in less time and with less effort than on many other platforms. The .NET Framework and ASP.NET are an excellent choice for building highly secure, feature-rich Web sites.
With that array of feature choices comes a corresponding array of decisions, and each and every decision in the process of designing, developing, deploying, and maintaining a site can have significant security impact and implications.
Improving Web Application Security: Threats and Countermeasures provides an excellent and comprehensive approach to building highly secure and feature-rich applications using the .NET Framework. It accurately sets the context — that security considerations and issues must be addressed with application design, development, deployment, and maintenance in view, not during any one of these phases in isolation. It cleverly walks you through a process, prescribing actions and making suggestions along the way. By following the guide from start to finish you will learn how to design a secure application by understanding what’s important to you, who will attack you, and what they will likely look for, and build countermeasures to protect yourself. The guide provides frameworks, checklists, and expert tips for threat modeling, design and architecture reviews, and implementation reviews to help you avoid common mistakes and be secure from the start. It then delves into the .NET security technology in painstaking detail, leading you through decisions you will need to make, examining security components and things you should be aware of, and focusing on issues that you cannot ignore.
This is the most comprehensive and well-written guide to building secure Web applications that I have seen, and is a must read for anyone building a secure Web site or considering using ASP.NET to provide security for their online business presence.
Mark Curphey has a Master’s degree in Information Security and runs the Open Web Application Security Project. He moderates the sister security mailing list to Bugtraq called webappsec that specializes in Web application security. He is a former Director of Information Security for Charles Schwab, consulting manager for Internet Security Systems, and veteran of more banks and consulting clients than he cares to remember. He now works for a company called Watchfire. He is also a former Java UNIX bigot now turned C#, ASP.NET fan.
I have been privileged to contribute to Improving Web Application Security: Threats and Countermeasures, and its companion volume, Building Secure ASP.NET Web Applications. As someone who encounters many such threats and relies on many of these countermeasures every day at Microsoft’s largest Internet-facing online properties, I can say that this guide is a necessary component of any Web-facing business strategy. I’m quite excited to see this knowledge shared widely with Microsoft’s customers, and I look forward to applying it in my daily work.
There is an increasing amount of information being published about Internet security, and keeping up with it is a challenge. One of the first questions I ask when a new work like this gets published is: "Does the quality of the information justify my time to read it?" In the case of Improving Web Application Security: Threats and Countermeasures, I can answer an unqualified yes. J.D. Meier and team have assembled a comprehensive reference on Microsoft Web application security, and put it in a modular framework that makes it readily accessible to Web application architects, developers, testers, technical managers, operations engineers, and yes, even security professionals. The bulk of information contained in this work can be intimidating, but it is well-organized around key milestones in the product lifecycle — design, development, testing, deployment, and maintenance. It also adheres to a security principles-based approach, so that each section is consistent with common security themes.
Perhaps my favorite aspect of this guide is the thorough testing that went into each page. During several discussions with the guide’s development team, I always came away impressed with their willingness to actually deploy the technologies discussed herein to ensure that the theory portrayed aligned with practical reality. They also freely sought out expertise internal and external to Microsoft to keep the contents useful and practical.
Some other key features that I found very useful include the concise, well-organized, and comprehensive threat modeling chapter, the abundant tips and guidelines on .NET Framework security (especially code access security), and the hands-on checklists for each topic discussed.
Improving Web Application Security: Threats and Countermeasures will get any organization out ahead of the Internet security curve by showing them how to bake security into applications, rather than bolting it on as an afterthought. I highly recommend this guide to those organizations who have developed or deployed Internet-facing applications and to those organizations who are considering such an endeavor.
Senior Director of Security, MSN
Co-Author, Hacking Exposed Fourth Edition, Windows, and Web Applications
For many years, application security has been a craft learned by apprenticeship. Unfortunately, the stakes are high and the lessons hard. Most agree that a better approach is needed: we must understand threats, use these hard lessons to develop sound practices, and use solid research practices to provide layers of defense.
Web applications are the portals to many corporate secrets. Whether they sit on the edge of the lawless Internet frontier or safeguard the corporate payroll, these applications are a popular target for all sorts of mischief. Web application developers cannot afford to be uncertain about the risks to their applications or the remedies that mitigate these risks. The potential for damage and the variety of threats is staggering, both from within and without. However, while many threats exist, the remedies can be crystallized into a tractable set of practices and procedures that can mitigate known threats and help to guard against the next unknown threat.
The .NET Framework and the Common Language Runtime were designed and built with these threats in mind. They provide a powerful platform for writing secure applications and a rich set of tools for validating and securing application assets. Note, however, that even powerful tools must be guided by careful hands.
This guide presents a clear and structured approach to dealing with Web application security. In it, you will find the building blocks that enable you to build and deploy secure Web applications using ASP.NET and the .NET Framework.
The guide begins with a vocabulary for understanding the jargon-rich language of security spoken by programmers and security professionals. It includes a catalog of threats faced by Web applications and a model for identifying threats relevant to a given scenario. A formal model is described for identifying, classifying, and understanding threats so that sound designs and solid business decisions can be made.
The text provides a set of guidelines and recommended design and programming practices. These guidelines are the collective wisdom that comes from a deep analysis of both mistakes that have been made and mistakes that have been successfully avoided.
The tools of the craft provided by ASP.NET and the .NET Framework are introduced, with detailed guidance on how to use them. Proven patterns and practices for writing secure code, using data, and building Web applications and services are all documented.
Sometimes the desired solution is not the easiest path. To make it faster and easier to end up in the right place, the authors have carefully condensed relevant sample code from real-world applications into building blocks.
Finally, techniques for assessing application security are provided. The guide contains a set of detailed checklists that can be used as guidelines for new applications or tools to evaluate existing projects.
Whether you’re just starting on your apprenticeship in Web application security or have already mastered many of the techniques, you’ll find this guide to be an indispensable aid that will help you build more secure Web applications.
Program Manager, ASP.NET Product Team
Microsoft Corp.
The notion that security is only as good as the weakest link is as valid today as it was 15 or so years ago, and it is especially true in today’s Web-enabled applications. This truism was emphasized during the eWeek OpenHack contest of October 2002, when various software vendors were pitted against each other in the most hostile of environments — the Internet. During the contest, the computer running Oracle 9i Application Server was compromised in a little over two hours. The defect, that of not checking that user input was well formed and correct, was not in the core Oracle software. The error lay in the custom application that rode atop the server software. The same error could easily have occurred in any Web-based application written in, say, ASP.NET, Perl, or PHP.
Based on my experience, I can safely say that many people focus on securing the "core" code and features, and give the security of features that depend on the core short shrift. You simply cannot do this in a hostile environment such as the Web. Building secure systems requires skill, education, and discipline at every stage of development: from design to coding to testing to documentation to deployment, and finally, to management. Each and every step must be as secure as possible. This is why I am excited about Improving Web Application Security: Threats and Countermeasures. It’s the first book to offer a "soup to nuts" view of building a secure Web-based system using the Microsoft .NET Framework and ASP.NET. The fact that the authors chose to focus on the Web-based product development end-to-end lifecycle — and not just on securing small islands of technology — is a testament to much of the work we are undertaking at Microsoft as part of the Trustworthy Computing initiative. Delivering security and privacy to customers requires the engagement of every person involved in the software process, rather than focusing on single events or a single development discipline.
This book has something of value for everyone involved in software development, deployment, and management, because everyone involved in these efforts has an impact on product security. I would urge you, at a minimum, to read the sections that affect your discipline. You will learn critical skills, and most importantly, you will secure every link in the chain. After all, it takes only one loose thread and the entire garment unravels!
Senior Program Manager, Secure Windows Initiative
Co-author, Writing Secure Code